8e28d22c91
* gnu/packages/patches/libtiff-CVE-2012-4564.patch, gnu/packages/patches/libtiff-CVE-2013-1960.patch, gnu/packages/patches/libtiff-CVE-2013-1961.patch, gnu/packages/patches/libtiff-CVE-2013-4231.patch, gnu/packages/patches/libtiff-CVE-2013-4232.patch, gnu/packages/patches/libtiff-CVE-2013-4243.patch, gnu/packages/patches/libtiff-CVE-2013-4244.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch, gnu/packages/patches/libtiff-CVE-2014-8129.patch, gnu/packages/patches/libtiff-CVE-2014-9330.patch, gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[source]: Add patches.
89 lines
2.4 KiB
Diff
89 lines
2.4 KiB
Diff
Copied from Debian
|
|
|
|
From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Mon, 29 Dec 2014 12:09:11 +0000
|
|
Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
|
|
read outside of the compressed input stream buffer.
|
|
|
|
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
|
|
---
|
|
ChangeLog | 9 +++++++++
|
|
libtiff/tif_getimage.c | 12 +++++++-----
|
|
libtiff/tif_next.c | 4 +++-
|
|
3 files changed, 19 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index a4f46d9..3ad8ee7 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
|
|
|
|
(void) y;
|
|
fromskew = (fromskew * 10) / 4;
|
|
- if ((h & 3) == 0 && (w & 1) == 0) {
|
|
+ if ((w & 3) == 0 && (h & 1) == 0) {
|
|
for (; h >= 2; h -= 2) {
|
|
x = w>>2;
|
|
do {
|
|
@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
|
|
/* XXX adjust fromskew */
|
|
do {
|
|
x = w>>2;
|
|
- do {
|
|
+ while(x>0) {
|
|
int32 Cb = pp[4];
|
|
int32 Cr = pp[5];
|
|
|
|
@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
|
|
|
|
cp += 4;
|
|
pp += 6;
|
|
- } while (--x);
|
|
+ x--;
|
|
+ }
|
|
|
|
if( (w&3) != 0 )
|
|
{
|
|
@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
|
|
fromskew = (fromskew * 4) / 2;
|
|
do {
|
|
x = w>>1;
|
|
- do {
|
|
+ while(x>0) {
|
|
int32 Cb = pp[2];
|
|
int32 Cr = pp[3];
|
|
|
|
@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
|
|
|
|
cp += 2;
|
|
pp += 4;
|
|
- } while (--x);
|
|
+ x --;
|
|
+ }
|
|
|
|
if( (w&1) != 0 )
|
|
{
|
|
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
|
|
index d834196..dd669cc 100644
|
|
--- a/libtiff/tif_next.c
|
|
+++ b/libtiff/tif_next.c
|
|
@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
|
|
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
|
|
return (0);
|
|
}
|
|
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
|
|
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
|
|
n = *bp++, cc--;
|
|
switch (n) {
|
|
case LITERALROW:
|
|
@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
|
|
* The scanline has a literal span that begins at some
|
|
* offset.
|
|
*/
|
|
+ if( cc < 4 )
|
|
+ goto bad;
|
|
off = (bp[0] * 256) + bp[1];
|
|
n = (bp[2] * 256) + bp[3];
|
|
if (cc < 4+n || off+n > scanline)
|